Lesson 5 Configuring IP Packet Filters
IP packet filters allow or block packets from passing through specified ports. In a simple network scenario, you do not normally need to create IP packet filters to provide secure Internet access for your client computers. However, in special circumstances, IP packet filters must be used either to allow specific traffic to pass or to block specific traffic from passing from the external to the internal interface on a local network server.
After this lesson, you will be able to
Describe three network scenarios that require IP packet filters
Create and configure IP packet filters for your network
Describe the options that can be configured for packet filtering
Estimated lesson time: 45 minutes
When to Use IP Packet Filters
IP packet filters open or close ports statically; that is, they leave ports open or closed as long as the filters remain enabled. In most cases, however, it is preferable to open and close ports dynamically—only as needed, as protocol rules and site and content rules allow. Therefore, it is usually recommended that you create access policy rules to allow internal clients access to the Internet, or create publishing rules to allow external clients access to internal servers. For example, suppose you want to grant all internal users access to HTTP sites. You should not create an IP packet filter that opens port 80. Rather, you should create the necessary site and content rule and protocol rule that allow this access.
However, in some scenarios, you must use IP packet filters. Configure IP packet filters when:
You publish servers that are located on a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet).
You run applications or other services on the ISA Server computer that need to access the Internet.
You want to allow access to protocols that are not based on UDP or TCP.
You can configure IP packet filters only if you install ISA Server in Firewall mode or Integrated mode.
Creating IP Packet Filters
With IP packet filters, you can intercept and either allow or block packets destined for specific computers on your corporate network. You can configure two types of static IP packet filters: allow filters and block filters.
Allow filters are exception filters; all packet types are blocked except for those you specify. If you do not have a packet filter activated for a specific port, the service cannot listen on that port unless the port is opened dynamically. Block filters close the specified ports. You can create and configure block filters to further define the traffic allowed through the ISA Server computer.
These two filter types can be used together. For example, you can create an allow filter, as shown in Figure 4.12, that allows TCP traffic on port 25 between all internal and external hosts, which enables SMTP communication. You can then limit that access by creating a block filter that blocks a range of external IP addresses—potential intruders—from sending TCP packets to port 25 on your ISA Server computer.

Figure 4.12 Creating an IP packet filter to enable SMTP communication
IP packet filters are defined by the following parameters:
Servers. The filter allows or blocks communication on the specified server.
Protocol, port, and direction. The filter allows or blocks traffic at the specified port, using the specified protocol in the specified direction.
Local host. This is the computer on the local side of ISA Server for which communication is opened or blocked: either an IP address on the ISA Server computer's external interface, or a single IP address or range of addresses on the perimeter network.
Remote host. This is the name of the computer on the Internet for which communication is allowed or blocked.
In order to create IP packet filters, packet filtering must be enabled. Packet filtering is enabled in a default ISA Server installation; it can also be enabled manually with the Enable Packet Filtering check box on the General tab of the IP Packet Filters Properties dialog box.
Follow these steps to create an IP packet filter:
In the console tree of ISA Management, right-click IP Packet Filters, point to New, and then click Filter.
In the New IP Packet Filter wizard, type a name for the IP packet filter, and then click Next.
On the Servers page, specify whether you want the IP packet filter to apply to the whole ISA Server array, or to a single server in the array.
On the Filter Mode page, specify whether the IP packet filter allows packets or blocks packets from passing.
On the Filter Type page, select a predefined filter, or select Custom to create a new filter type.
If you select Custom, on the Filter Settings page, specify the IP protocol, direction, and local and remote ports for the IP packet filter.
On the Local Computer page, specify a computer on the local network to which the IP packet filter is applied.
On the Remote Computers page, select the remote computers to which the IP packet filter is applied.
After you create or configure an IP packet filter, you must restart the ISA Server services before the changes will take effect.
Follow these steps to configure a protocol for an IP packet filter:
On the View menu, select Advanced.
In the console tree of ISA Management, click IP Packet Filters.
In the details pane, right-click the IP packet filter you want to modify, and then click Properties.
Click the Filter Type tab.
Do one of the following:
Click Predefined, and then click a filter from the list.
Click Custom, and then in the IP Protocol drop-down list box, click one of the following: Any, ICMP, TCP, UDP, or Custom Protocol.
If you click Custom and the ICMP protocol, do the following:
In the Direction drop-down list box, click Inbound, Outbound, or Both.
In the Type drop-down list box, click All Types or Fixed Type. If you click Fixed Type, enter the type number in the associated text box.
In the Code drop-down list box, click All Codes or Fixed Code. If you click Fixed Code, type the code number in the associated text box.
If you click the Custom radio button and then select Any IP Protocol, specify the direction: Inbound, Outbound, or Both.
If you click the Custom radio button and then select the UDP protocol, do the following:
In Direction, click Receive Only, Send Only, Both, Receive Send, or Send Receive.
In Local Port, click All Ports, Fixed Port, or Dynamic. If you click Fixed Port, in Port Number, type the port number.
In Remote Port, click All Ports or Fixed Port. If you click Fixed Port, in Port Number, type the port number.
If you select Custom and the TCP protocol, do the following:
In Direction, click Inbound, Outbound, or Both.
In Local Port, click All Ports, Fixed Port, or Dynamic. If you click Fixed Port, in Port Number, type the port number.
In Remote Port, click All Ports or Fixed Port. If you click Fixed Port, in Port Number, type the port number.
Follow these steps to apply an IP packet filter to a server:
If you are in Taskpad view, on the View menu, select Advanced.
In the console tree of ISA Management, click IP Packet Filters.
In the details pane, right-click the IP packet filter you want to modify, and then click Properties.
On the General tab in the Servers That Use This Filter section, do one of the following:
Click the All Servers In The Array radio button.
Click the Only This Server radio button, and then click the server to which the filter applies.
Follow these steps to configure an IP packet filter for a local computer:
On the View menu, select Advanced.
In the console tree of ISA Management, click IP Packet Filters.
In the details pane, right-click the IP packet filter you want to modify, and then click Properties.
On the Local Computer tab:
To specify that the IP packet filter be applied to the default IP address of each external interface of the local ISA Server computer, click the Default IP Address(es) On The External Interface(s) radio button.
To specify that the IP packet filter be applied to a specific IP address of the local ISA Server computer, click the This ISA Server's External IP Address radio button, and type the desired IP address of the ISA Server computer.
To select a specific computer on a perimeter network, click the This Computer (On The Perimeter Network) radio button, and type an IP address that is not on the ISA Server computer.
To specify a range of IP addresses on the perimeter network, click the These Computers (On The Perimeter Network) radio button, and then type the appropriate information in Subnet and Mask fields.
Follow these steps to configure an IP packet filter for a remote computer:
On the View menu, select Advanced.
In the console tree of ISA Management, click IP Packet Filters.
In the details pane, right-click the IP packet filter you want to modify and then click Properties.
On the Remote Computer tab, specify the computer to which the IP packet filter should apply by clicking one of the following options:
If the filter applies to all external computers, click the All Remote Computers radio button.
If the filter applies to one computer, click the This Remote Computer radio button, and then type the IP address of the external computer to which the filter applies.
If the filter applies to a range of computers, click the This Range Of Computers radio button, and then type the appropriate information in the Subnet and Mask fields.
Configuring Packet Filter Options
By right-clicking the IP Packet Filters folder in ISA Management, selecting Properties, and then clicking the Packet Filters tab, you can configure the following packet filtering features:
IP fragment filtering
IP options filtering
Log packets from "Allow" filters
Figure 4.13 shows the options available on the Packet Filters tab.

Figure 4.13 Packet filter options can be set on the Packet Filters tab of the IP Packet Filters Properties dialog box.
IP Fragment Filtering
When you select the Enable Filtering Of IP Fragments check box, the Web Proxy service and the Firewall service filter packet fragments, which means that all fragmented IP packets are dropped. A well-known class of attack sends fragmented packets crafted so that reassembling them harms the receiving system.
Do not enable IP fragment filtering if you want to allow video streams or quality audio streams to pass through ISA Server.
Follow these steps to enable IP fragment filtering:
In the console tree of ISA Management, right-click IP Packet Filters, and then click Properties.
On the General tab, select the Enable Packet Filtering check box if it is not already selected.
On the Packet Filters tab, select the Enable Filtering Of IP Fragments check box.
IP Options Filtering
By enabling IP options filtering, you configure ISA Server to refuse all packets that carry IP options in the IP header.
Follow these steps to enable IP options filtering:
In the console tree of ISA Management, right-click IP Packet Filters, and then click Properties.
On the General tab, select the Enable Packet Filtering check box if it is not already selected.
On the Packet Filters tab, select the Enable Filtering IP Options check box.
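IP fragment filtering and IP options filtering both act on fields of the IPv4 header: a packet is a fragment when its More Fragments flag is set or its fragment offset is non-zero, and it carries options when its header length field (IHL) is greater than the five 32-bit words of the fixed header. The following Python is an added example written for this lesson, not ISA Server's own filter code; the sample headers, their addresses and the Record Route option are constructed for the demonstration, and the header checksum is left at zero.

```python
import struct

# Flag bits in the 16-bit flags/fragment-offset field of the IPv4 header (RFC 791).
FLAG_MF = 0x2000           # More Fragments
FLAG_DF = 0x4000           # Don't Fragment
FRAG_OFFSET_MASK = 0x1FFF  # offset in 8-byte units


def classify_ipv4(header: bytes) -> dict:
    """Read the fragment and option facts a static packet filter needs from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    if ihl < 5 or len(header) < ihl * 4:
        raise ValueError(f"invalid or truncated IHL {ihl}")
    offset = flags_frag & FRAG_OFFSET_MASK
    return {
        "ihl_bytes": ihl * 4,
        # Both the first fragment (MF set, offset 0) and later fragments
        # (offset != 0) count as fragments.
        "is_fragment": bool(flags_frag & FLAG_MF) or offset != 0,
        # Anything beyond the fixed 20-byte header is options.
        "has_options": ihl > 5,
        "options": header[20:ihl * 4],
    }


def filter_verdict(header: bytes, drop_fragments: bool = True,
                   drop_options: bool = True) -> str:
    """Apply the two check-box behaviours from the Packet Filters tab to one header."""
    info = classify_ipv4(header)
    if drop_fragments and info["is_fragment"]:
        return "drop: IP fragment"
    if drop_options and info["has_options"]:
        return "drop: IP options present"
    return "pass"


def build_header(flags_frag: int = 0, options: bytes = b"") -> bytes:
    """Construct a sample IPv4 header (TCP payload, checksum left at zero) for the demo."""
    options = options + b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        0x40 | ihl,                # version 4, header length in words
                        0,                         # TOS
                        ihl * 4 + 40,              # total length: header + 40-byte payload
                        0x1234,                    # identification
                        flags_frag,
                        64,                        # TTL
                        6,                         # protocol: TCP
                        0,                         # header checksum (not computed here)
                        bytes([192, 0, 2, 1]),     # source address, constructed
                        bytes([198, 51, 100, 1]))  # destination address, constructed
    return fixed + options


# Constructed sample headers.
PLAIN = build_header()
DF_ONLY = build_header(flags_frag=FLAG_DF)
FIRST_FRAGMENT = build_header(flags_frag=FLAG_MF)   # MF set, offset 0
LATER_FRAGMENT = build_header(flags_frag=0x0010)    # offset 16 * 8 = 128 bytes
# Record Route option: type 7, length 7, pointer 4, one empty 4-byte slot.
WITH_OPTIONS = build_header(options=bytes([7, 7, 4, 0, 0, 0, 0]))

if __name__ == "__main__":
    for name, hdr in [("plain", PLAIN), ("DF only", DF_ONLY),
                      ("first fragment", FIRST_FRAGMENT),
                      ("later fragment", LATER_FRAGMENT),
                      ("record route option", WITH_OPTIONS)]:
        print(f"{name:20s} -> {filter_verdict(hdr)}")
```

Running the block shows that the header with only the Don't Fragment flag passes, while both the first and a later fragment are dropped; that is the behaviour that stops fragmented video and audio streams when fragment filtering is enabled, which is why the lesson advises leaving it off in that case.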
Logging Packets
All packets that pass through ISA Server can be logged to the packet filter log. You can configure exactly which packets are logged by following these guidelines:
By default, when you install ISA Server, all dropped packets are logged to the packet filter log. When you disable packet filtering, logging is turned off altogether.
You can configure ISA Server to disable logging for packets that are dropped due to any specific block-mode IP packet filter. This is configured on the properties dialog box of the particular block-mode IP packet filter.
You can configure ISA Server to log all packets—allowed and dropped—that are communicated by way of ISA Server. When you enable logging of allowed packets, all packets that pass through ISA Server are logged in the packet filter log.
Logging allowed packets and blocked packets causes a considerable load on the server.
Follow these steps to log allowed packets:
In the console tree of ISA Management, right-click IP Packet Filters, and then click Properties.
On the Packet Filters tab, select the Log Packets From 'Allow' Filters check box.
Practice: Running Internet Services on the ISA Server Computer
In this exercise, you create a packet filter that allows traffic to pass through TCP port 110. This allows your ISA Server computer to receive POP3 mail.
To create an IP packet filter to allow the POP3 service
Open ISA Management.
Navigate to Servers and Arrays, MyArray, Access Policy, IP Packet Filters.
Right-click the IP Packet Filters folder, point to New, and click Filter. The New IP Packet Filter wizard appears.
In the IP Packet Filter Name text box, type POP3 Filter, and then click Next.
On the Servers screen, leave All ISA Server Computers In The Array as the default, and then click Next.
On the Filter Mode screen, leave Allow Packet Transmission as the default, and then click Next.
On the Filter Type screen, select the Custom radio button, and then click Next. The Filter Settings screen appears.
Click the IP Protocol drop-down list box and select TCP.
Click the Local Port drop-down list box and select Dynamic.
Click the Remote Port drop-down list box and select Fixed Port. The Port Number text box to the right of the Remote Port drop-down list box becomes available.
In the Port Number text box, type 110.
Click Next.
On the Local Computer screen, leave Default IP Address(es)... as the default, and then click Next.
On the Remote Computers screen, leave All Remote Computers as the default, and then click Next. The Completing the New IP Packet Filter Wizard screen appears.
Click Finish. The POP3 Filter packet filter appears in the list of IP packet filters.
Exercise 2: Creating an IP Packet Filter for Outgoing (SMTP) Mail
In this exercise, you create a packet filter that allows traffic to pass through TCP port 25. This allows your ISA Server computer to send SMTP mail.
To create an IP packet filter to allow the SMTP service
In ISA Management, navigate to Servers and Arrays, MyArray, Access Policy, IP Packet Filters.
Right-click the IP Packet Filters folder, point to New, and click Filter. The New IP Packet Filter wizard appears.
In the IP Packet Filter Name text box, type SMTP Filter, and then click Next.
On the Servers screen, leave All ISA Server Computers In The Array as the default, and then click Next.
On the Filter Mode screen, leave Allow Packet Transmission as the default, and then click Next.
On the Filter Type screen, select the Custom radio button, and then click Next. The Filter Settings screen appears.
Click the IP Protocol drop-down list box and select TCP.
Click the Local Port drop-down list box and select Dynamic.
Click the Remote Port drop-down list box and select Fixed Port. The Port Number text box to the right of the Remote Port drop-down list box becomes available.
In the Port Number text box, type 25.
Click Next.
On the Local Computer screen, leave Default IP Address(es)... as the default, and then click Next.
On the Remote Computers screen, leave All Remote Computers as the default, and then click Next. The Completing the New IP Packet Filter Wizard screen appears.
Click Finish. The SMTP Filter appears in the list of IP packet filters in ISA Management.
Exercise 3: Creating an IP Packet Filter for NNTP
In this exercise, you create a packet filter that allows traffic to pass through TCP port 119. This allows your ISA Server computer to connect to NNTP servers and to post and read NNTP messages.
To create an IP packet filter to allow the NNTP service
In ISA Management, navigate to Servers and Arrays, MyArray, Access Policy, IP Packet Filters.
Right-click the IP Packet Filters folder, point to New, and click Filter. The New IP Packet Filter wizard appears.
In the IP Packet Filter Name text box, type NNTP Filter, and then click Next.
On the Servers screen, leave All ISA Server Computers In The Array as the default, and then click Next.
On the Filter Mode screen, leave Allow Packet Transmission as the default, and then click Next.
On the Filter Type screen, select the Custom radio button, and then click Next. The Filter Settings screen appears.
Click the IP Protocol drop-down list box and select TCP.
Click the Local Port drop-down list box and select Dynamic.
Click the Remote Port drop-down list box and select Fixed Port. The Port Number text box to the right of the Remote Port drop-down list box becomes available.
In the Port Number text box, type 119.
Click Next.
On the Local Computer screen, leave Default IP Address(es)... as the default, and then click Next.
On the Remote Computers screen, leave All Remote Computers as the default, and then click Next. The Completing the New IP Packet Filter Wizard screen appears.
Click Finish. The NNTP Filter appears in the list of IP packet filters in ISA Management.
Exercise 4: Creating an IP Packet Filter to Allow Outgoing Web Requests (DNS Queries)
In this exercise, you create a packet filter that allows traffic to pass through UDP port 53. This allows your ISA Server computer to make successful DNS queries.
To create an IP packet filter to allow DNS queries
Open the ISA Management console.
Navigate to Servers and Arrays, MyArray, Access Policy, IP Packet Filters.
Right-click the IP Packet Filters folder, point to New, and click Filter. The New IP Packet Filter wizard appears.
In the IP Packet Filter Name text box, type DNS Query, and then click Next.
On the Servers screen, leave All ISA Server Computers In The Array as the default, and then click Next.
On the Filter Mode screen, leave Allow Packet Transmission as the default, and then click Next.
On the Filter Type screen, select the Custom radio button, and then click Next. The Filter Settings screen appears.
Click the IP Protocol drop-down list box and select UDP.
Click the Local Port drop-down list box and select Dynamic.
Click the Remote Port drop-down list box and select Fixed Port. The Port Number text box to the right of the Remote Port drop-down list box becomes available.
In the Port Number text box, type 53.
Click Next.
On the Local Computer screen, leave Default IP Address(es)... as the default, and then click Next.
On the Remote Computers screen, leave All Remote Computers as the default, and then click Next. The Completing the New IP Packet Filter Wizard screen appears.
Click Finish. The DNS Query packet filter now appears in the list of IP packet filters in ISA Management.
Exercise 5: Creating an IP Packet Filter for Web Content (HTTP)
In this exercise, you create a packet filter that allows traffic to pass through TCP port 80. This allows your ISA Server computer to receive Web content.
To create an IP packet filter to allow Web content
Open ISA Management.
Navigate to Servers and Arrays, MyArray, Access Policy, IP Packet Filters.
Right-click the IP Packet Filters folder, point to New, and click Filter. The New IP Packet Filter wizard appears.
In the IP Packet Filter Name text box, type HTTP Client, and then click Next.
On the Servers screen, leave All ISA Server Computers In The Array as the default, and then click Next.
On the Filter Mode screen, leave Allow Packet Transmission as the default, and then click Next.
On the Filter Type screen, select the Custom radio button, and then click Next. The Filter Settings screen appears.
Click the IP Protocol drop-down list box and select TCP.
Click the Local Port drop-down list box and select Dynamic.
Click the Remote Port drop-down list box and select Fixed Port. The Port Number text box to the right of the Remote Port drop-down list box becomes available.
In the Port Number text box, type 80.
Click Next.
On the Local Computer screen, leave Default IP Address(es)... as the default, and then click Next.
On the Remote Computers screen, leave All Remote Computers as the default, and then click Next. The Completing the New IP Packet Filter Wizard screen appears.
Click Finish. The HTTP Client packet filter now appears in the list of IP packet filters in ISA Management.
Note that this packet filter only allows plain HTTP content, not HTTPS (SSL-secured) content. To allow the ISA Server computer to browse secure Web sites, you would need to create an additional allow packet filter for TCP port 443.
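The filter parameters described under Creating IP Packet Filters, the allow-plus-block combination of Figure 4.12, and the five allow filters built in the practice exercises above can all be checked against a small evaluation model. The following Python is an added example written for this lesson, not ISA Server code: the evaluation order (block filters first, then allow filters, default deny), the modelling of the Dynamic local port choice as the range 1025-5000, the outbound direction assumed for the exercise filters, the external address 198.51.100.1 and the blocked range 203.0.113.0/24 are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# ISA Server's "Dynamic" local port choice is modelled here as the Windows 2000
# ephemeral range 1025-5000.  This range is an assumption made for the example.
DYNAMIC_PORTS = range(1025, 5001)

# Constructed address standing in for the ISA Server computer's external interface.
ISA_EXTERNAL = "198.51.100.1"


@dataclass(frozen=True)
class Packet:
    protocol: str      # "tcp" or "udp" (ICMP type/code matching is left out)
    direction: str     # "inbound" (remote -> local) or "outbound" (local -> remote)
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class PacketFilter:
    """One static filter: the Servers, Filter Mode, Filter Type, Local and Remote choices."""
    name: str
    mode: str                          # "allow" or "block"
    protocol: str                      # "tcp", "udp" or "any"
    direction: str                     # "inbound", "outbound" or "both"
    local_port: Optional[int] = None   # None = All Ports
    remote_port: Optional[int] = None  # None = All Ports
    local_dynamic: bool = False        # True = the Dynamic local port choice
    local_hosts: str = "0.0.0.0/0"     # Local Computer tab, as subnet/mask
    remote_hosts: str = "0.0.0.0/0"    # Remote Computer tab, as subnet/mask

    def matches(self, p: Packet) -> bool:
        if self.protocol != "any" and self.protocol != p.protocol:
            return False
        if self.direction != "both" and self.direction != p.direction:
            return False
        if self.local_dynamic:
            if p.local_port not in DYNAMIC_PORTS:
                return False
        elif self.local_port is not None and self.local_port != p.local_port:
            return False
        if self.remote_port is not None and self.remote_port != p.remote_port:
            return False
        return (ip_address(p.local_ip) in ip_network(self.local_hosts)
                and ip_address(p.remote_ip) in ip_network(self.remote_hosts))


def evaluate(packet: Packet, filters) -> Tuple[str, str]:
    """Default deny: a matching block filter wins, otherwise the first matching allow filter."""
    for f in filters:
        if f.mode == "block" and f.matches(packet):
            return "drop", f.name
    for f in filters:
        if f.mode == "allow" and f.matches(packet):
            return "allow", f.name
    return "drop", "default deny (no matching allow filter)"


# The five allow filters from the practice exercises (local port Dynamic, remote
# port fixed, direction assumed outbound), followed by the Figure 4.12 scenario:
# inbound SMTP to the ISA Server is allowed except from 203.0.113.0/24, a
# constructed range standing in for the suspected intruders.
FILTERS = [
    PacketFilter("POP3 Filter", "allow", "tcp", "outbound", local_dynamic=True, remote_port=110),
    PacketFilter("SMTP Filter", "allow", "tcp", "outbound", local_dynamic=True, remote_port=25),
    PacketFilter("NNTP Filter", "allow", "tcp", "outbound", local_dynamic=True, remote_port=119),
    PacketFilter("DNS Query", "allow", "udp", "outbound", local_dynamic=True, remote_port=53),
    PacketFilter("HTTP Client", "allow", "tcp", "outbound", local_dynamic=True, remote_port=80),
    PacketFilter("SMTP Inbound", "allow", "tcp", "inbound", local_port=25),
    PacketFilter("Block SMTP from 203.0.113.0/24", "block", "tcp", "inbound",
                 local_port=25, remote_hosts="203.0.113.0/24"),
]


def decide(protocol: str, direction: str, local_port: int,
           remote_ip: str, remote_port: int) -> Tuple[str, str]:
    """Evaluate one packet seen on the ISA Server's external interface against FILTERS."""
    packet = Packet(protocol, direction, ISA_EXTERNAL, local_port, remote_ip, remote_port)
    return evaluate(packet, FILTERS)


if __name__ == "__main__":
    samples = [
        ("tcp", "outbound", 1200, "192.0.2.10", 110),   # POP3 fetch from the ISA Server
        ("tcp", "outbound", 1200, "192.0.2.10", 443),   # HTTPS: no filter opens it
        ("tcp", "inbound", 25, "192.0.2.10", 4000),     # SMTP delivered to the ISA Server
        ("tcp", "inbound", 25, "203.0.113.9", 4000),    # same, but from the blocked range
        ("tcp", "inbound", 110, "192.0.2.10", 4000),    # POP3 Filter is outbound only
    ]
    for s in samples:
        print(s, "->", decide(*s))
```

Running the block prints a verdict and the deciding filter for each sample packet. Two of them show why static filters need care: a connection to remote port 443 falls to the default deny because no allow filter names it (the point of the note after Exercise 5), and an inbound connection to local port 110 is dropped even though the POP3 Filter exists, since that filter opens the port only for connections the ISA Server computer initiates.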
Lesson Summary
Though access policy rules and publishing rules are the preferred means of allowing access to and from your network, you must, in some scenarios, use IP packet filters to control access instead. For example, you will need to use IP packet filters if you publish servers that are located on a perimeter network, or if, on your ISA Server computer, you run applications and services that need to access the Internet. A third scenario that calls for IP packet filters is when you want to allow access to protocols that are not based on UDP or TCP. IP packet filters can function as either allow filters or block filters.
You can configure three types of options for IP packet filters: IP fragment filtering, IP options filtering, and "Allow" filter logging. When packet fragments are filtered, all fragmented IP packets are dropped, which prevents a well-known type of network attack but also prevents video and audio streams from passing through ISA Server. With IP options filtering, you can configure ISA Server to refuse all packets that carry IP options in the header. Finally, through "Allow" filter logging, you can configure ISA Server to log all packets—allowed and dropped—that are communicated by way of ISA Server. (Dropped packets are logged by default.)